Removal instructions for Win 7 Antivirus 2012 (and its clones)


#1
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Content is republished with permission from Malwarebytes.



The removal instructions are different from those for XP Security 2012, although it is the same malware, only with a different name on the label.
Please use these instructions if you are running Windows Vista or Windows 7.


The names for this rogue that you can find on a computer running Windows 7 (the original post shows a screenshot of each main screen):
  • Win 7 Antivirus 2012
  • Win 7 Antispyware 2012
  • Win 7 Home Security 2012
  • Win 7 Internet Security 2012
  • Win 7 Security 2012


How do I remove Win 7 Antivirus 2012 and its clones?

Please download Malwarebytes' Anti-Malware from here
If you are unable to do this from the infected computer directly, transfer the file from another computer.
Download the mbam-setup.exe to your desktop.

Now make sure extensions are shown. To do this, please look here
Then rename the mbam-setup.exe to mbam-setup.com.
Then right-click the mbam-setup.com and choose "Create Shortcut". This will create a shortcut on your desktop.

Double-click the newly created shortcut to run the installer.
This will launch mbam-setup.com in order to install Malwarebytes' Anti-malware.
At the last screen of the installer make sure the boxes to Update and Launch Malwarebytes' Anti-Malware are checked.


If the program does not start automatically after this, you will have to navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe in there. Rename it to mbam.com and double-click mbam.com to launch Malwarebytes' Anti-Malware.
Click the "Update" tab and click the "Check For updates" button.

Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart, so please allow MBAM to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

You will be prompted to reboot the computer. Please do so.

Is there anything else I need to do to get rid of Win 7 Antivirus 2012?

  • No, Malwarebytes' Anti-Malware removes Win 7 Antivirus 2012 completely.

Also note that the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.


#2
The Skeptic (Trusted Tech, Technician, 4,075 posts)
Hi.

A computer I dealt with was infected by Win 7 Antivirus 2012. I found it easiest to move the HD to another computer and there I ran full scans of Malwarebytes, SuperAntispyware and Avast. The malware seems to be removed and the annoying screens do not show anymore. Yet, many programs cannot be opened (most, not all of them) and when I click an icon a message shows up asking what program I want to use to open the file, showing, by default, Windows Media Center.

My questions:

1: Is this common damage done by the malware, and can it be fixed reliably and quickly without formatting?

2: I find that by moving the HD to a healthy computer and scanning it there I easily overcome problems such as non-booting or disabling of antimalware programs by the malware they are meant to remove. I also think that by doing so I expose every file on it, be it operating system, program or otherwise, to the removal capabilities of the antimalware programs. This is not a procedure that the average user can do, but it can be very helpful to the technician who is not a malware removal expert. Am I correct? I would greatly appreciate your learned opinion.


Kind Regards

The Skeptic

#3
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi The Skeptic,

The reasons why I wouldn't scan the drive on a healthy computer:
  • If there is some replicating malware present, you could infect the clean computer. I admit the chance is small, but ever since my work computer got infected by a virus on my VM, I am extra careful.
  • You do not clean the registry, so you will get stuck with loads of orphaned registry entries which can be very annoying.
There are also some good reasons why one would do it, but I'm guessing you already know those. :)

As to 1: this malware only intercepts calls to .exe files, as far as I know.
Is this when the drive is in the clean computer? Because it could be caused by shortcuts no longer being valid.
There could of course be other malware in action as well as these rogues are often bundled with other malware.

#4
The Skeptic (Trusted Tech, Technician, 4,075 posts)
Hi Pieter,

First, thanks for your answer. As for invalid shortcuts, I tried to open the affected programs from "All Programs" menu and got the same negative results.

Now, the computer is no longer in my possession, but I would like to clarify a point concerning "my" approach (moving the infected HD to a clean computer etc.). I understand the risks involved and accept them. My question is: do I understand correctly that when scanning the affected HD on a healthy computer the registry of the operating system on the affected HD is not scanned? If this is the case then this is a serious drawback to the way I do it. One of the reasons I adopted this method was that I thought that every single file would be exposed to the scanning programs. Am I wrong?

#5
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Every file will be scanned, that is true, but the registry of the OS on that drive will be treated as such (a file), while the registry of the computer doing the scanning is treated as the registry: the scanner looks at keys where infections are expected.
In your case that is a clean computer, so nothing will be found.

So, looking at the MBAM log we have for the infection above, this section will not be clean when you put the drive back in the infected computer.
Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\{username}\Desktop\hml.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\{username}\Desktop\hml.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

So this will still be in the infected computer's registry:
    [HKEY_CLASSES_ROOT\.exe\DefaultIcon]
      "(Default)"="'%1'"
    [HKEY_CLASSES_ROOT\.exe\shell\runas\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)"="'"%1" %*'"
    [HKEY_CLASSES_ROOT\.exe\shell\open\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)"="'"C:\Documents and Settings\{username}\Desktop\hml.exe" -a "%1" %*'"
    [HKEY_CLASSES_ROOT\exefile]
      "Content Type"="'application/x-msdownload'"
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)
        '"%1" %*' ==> '"C:\Documents and Settings\{username}\Desktop\hml.exe" -a "%1" %*'"
    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
      "IsolatedCommand"="'"%1" %*'"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
      "(Default)
        'C:\Program Files\Internet Explorer\iexplore.exe' ==> '"C:\Documents and Settings\{username}\Desktop\hml.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\hml\DEBUG]
      "Trace Level"=""
    [HKEY_CURRENT_USER\Software\Classes\.exe]
      "Content Type"="'application/x-msdownload'"
      "(Default)"="'exefile'"
    [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)"="'"%1" %*'"
    [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)"="'"C:\Documents and Settings\{username}\Desktop\hml.exe" -a "%1" %*'"
    [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
      "(Default)"="'%1'"
    [HKEY_CURRENT_USER\Software\Classes\exefile]
      "Content Type"="'application/x-msdownload'"
      "(Default)"="'Application'"
    [HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
      "IsolatedCommand"="'"%1" %*'"
      "(Default)"="'"%1" %*'"
    [HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
      "IsolatedCommand"="'"%1" %*"'
      "(Default)"="'"C:\Documents and Settings\{username}\Desktop\hml.exe" -a "%1" %*'"

But the file these values point at, "C:\Documents and Settings\{username}\Desktop\hml.exe", will be gone, thus resulting in errors.

I hope I explained that clearly enough. If not, don't hesitate to ask.
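The orphaned values described above can be audited on the affected machine itself once the drive is back in it. This PowerShell script is an added example, not code from the post or from Malwarebytes; it assumes an elevated PowerShell on the affected computer, that a stock Windows install has no HKCU\Software\Classes\.exe, HKCU\Software\Classes\exefile or HKCR\.exe\shell keys, and that the stock open/runas command for executables is "%1" %* as the MBAM log shows under "Good".

```powershell
# Added example, not code from the forum post or from Malwarebytes.
# Audits the executable-association values the MBAM log above lists as hijacked
# and, with -Repair, restores the Windows defaults. Assumes an elevated session
# on the affected machine; the flagged file (hml.exe in the log) is never executed.
param([switch]$Repair)

$Default = '"%1" %*'   # stock open/runas command for .exe files

# Keys a stock install does not have (assumption: the rogue creates them, per the
# dump above). The per-user overrides go first so that the merged HKCR view
# checked afterwards reflects the machine-wide values only.
$MustNotExist = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell'
)
# Keys whose (default) value must be the stock command.
$MustBeDefault = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'
)
$Browser = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'

$findings = @()
foreach ($key in $MustNotExist) {
    if (Test-Path -Path $key) {
        $findings += [pscustomobject]@{ Key = $key; Issue = 'unexpected key'; Value = '' }
        if ($Repair) { Remove-Item -Path $key -Recurse }
    }
}
foreach ($key in $MustBeDefault) {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne $Default) {
        $findings += [pscustomobject]@{ Key = $key; Issue = 'hijacked command'; Value = $cmd }
        if ($Repair) { Set-ItemProperty -Path $key -Name '(default)' -Value $Default }
    }
}
# The browser launcher was hijacked by wrapping iexplore.exe in a second program
# ("hml.exe" -a "...iexplore.exe" in the log): flag any command naming two executables.
$cmd = (Get-ItemProperty -Path $Browser -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and ([regex]::Matches($cmd, '(?i)\.exe')).Count -gt 1) {
    # Report only: the stock value depends on the IE install path, so no automatic fix.
    $findings += [pscustomobject]@{ Key = $Browser; Issue = 'wrapped launcher'; Value = $cmd }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'exe associations look clean' }
```

Run it without switches first to see the report; -Repair then restores the defaults and deletes the per-user overrides.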

#6
The Skeptic (Trusted Tech, Technician, 4,075 posts)
Hi Pieter.

Thanks again. Like I said, I am not an expert on malware removal, but the bottom line of your explanation is clear: my approach is flawed because the registry of the OS on the infected disk is not scanned as it should be. I'll stop this practice.

Thanks for your clarification.

Regards

Ami Yogev

#7
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Your method can be used if the infected system is too slow or if it is in any other way impossible to clean itself.
Removing the files can resolve such problems, but a good registry scan of the infected machine will still be necessary.

Glad I could help. :)

#8
Oh_crap (New Member, 1 post)
You guys are awesome, thanks for all the easy instructions ;)